expression rejects all packets

Jon Dugan jdugan at ncsa.uiuc.edu
Thu Sep 6 17:10:22 PDT 2001


  When I start up bro, I get the following message:

  #./bro -i sk0 -i sk1 mt ncsa
  listening on sk0
  ./bro: problem with interface sk1 - pcap_compile((vlan) and (((((((((ip[6:2] &
  0x3fff != 0) and tcp) or (tcp[13] & 0x7 != 0)) or (port finger)) or (tcp port
  113)) or (port ftp)) or (port telnet or tcp port 513)) or (port 111)) or (udp
  port 123))): expression rejects all packets

  the contents of ncsa.bro are:

    redef restrict_filter = "vlan";

  it's weird; it looks like the pcap expression compiles for one interface but
  not the second.

  the link i am running bro on uses 802.1Q VLAN tagging, which is supported
  by recent versions of libpcap.  (well, mostly supported, you can either look
  at tagged frames or frames on the native VLAN, but not both at the same time
  -- because of the way libpcap handles the VLAN tags internally.  for my
  purposes i don't need to look at the native VLAN since there is no traffic
  on it.)

  in order to get this far i had to rearrange the order of capture_f and
  restrict_f in main.cc, i put restrict on the left and capture on the left.
  without doing that the expression wouldn't compile the pcap expression for
  the first interface.

  any suggestions?

  thanks,

Jon
-- 
Jon Dugan             |  Senior Network Engineer, NCSA Network Development
jdugan at ncsa.uiuc.edu  |  269 CAB, 605 E Springfield, Champaign, IL 61820
217-244-7715          |  http://www.ncsa.uiuc.edu/people/jdugan
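
Added example, not part of the original message and not libpcap or Bro code: a simplified Python model of why the position of `vlan` in a filter matters. It assumes the behaviour documented for pcap filters, that the first `vlan` keyword shifts the decoding offsets for the rest of the expression by the 4-byte 802.1Q tag; the frames, VLAN ID and the `Matcher` class are constructed for illustration.

```python
import struct

ETH_IP, ETH_VLAN = 0x0800, 0x8100

def frame(tagged, frag_field):
    """Build a constructed Ethernet frame carrying a bare 20-byte IPv4 header."""
    eth = bytes(12)                                  # dst + src MAC, zeroed
    if tagged:
        eth += struct.pack("!HH", ETH_VLAN, 100)     # TPID + TCI (VLAN 100, constructed)
    eth += struct.pack("!H", ETH_IP)
    ip = bytearray(20)
    ip[0] = 0x45                                     # IPv4, header length 5 words
    struct.pack_into("!H", ip, 6, frag_field)        # flags + fragment offset = ip[6:2]
    return eth + bytes(ip)

class Matcher:
    """Hypothetical evaluator: primitives run left to right and share offsets."""
    def __init__(self, pkt):
        self.pkt = pkt
        self.off_type = 12    # where the EtherType is read
        self.off_nl = 14      # where the network-layer header starts

    def _u16(self, off):
        return struct.unpack_from("!H", self.pkt, off)[0]

    def vlan(self):
        ok = self._u16(self.off_type) == ETH_VLAN
        self.off_type += 4    # everything after 'vlan' is decoded past the tag
        self.off_nl += 4
        return ok

    def ip_frag(self):
        # Models the (ip[6:2] & 0x3fff != 0) term of the filter in the message
        return (self._u16(self.off_type) == ETH_IP
                and (self._u16(self.off_nl + 6) & 0x3fff) != 0)

def vlan_then_ip(pkt):        # restrict filter on the left: "vlan and (...)"
    m = Matcher(pkt)
    return m.vlan() and m.ip_frag()

def ip_then_vlan(pkt):        # restrict filter on the right: "(...) and vlan"
    m = Matcher(pkt)
    return m.ip_frag() and m.vlan()

# Constructed samples: 0x2000 = more-fragments flag set, 0x4000 = don't-fragment only
TAGGED_FRAG = frame(True, 0x2000)
UNTAGGED_FRAG = frame(False, 0x2000)
TAGGED_DF = frame(True, 0x4000)
```

With `vlan` last, both tests read the EtherType at the same offset and require it to be 0x0800 and 0x8100 at once, so no frame can match; with `vlan` first, tagged fragments match but untagged (native VLAN) frames never do.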


